For configuring high availability for LDAP in keystone one
needs to edit /etc/openldap/ldap.conf. This worked
before the control plane was containerised. Mounting the
openldap configuration into the keystone container
restores the previous behavior.
Change-Id: Id0d73a8ab0ddf7bf9e2b76ea14ffc9acff3a0ad3
Closes-Bug: #1923048
Resolves: rhbz#1944466
With I57047682cfa82ba6ca4affff54fab5216e9ba51c Heat has added
a new template version for wallaby. This would allow us to use
the 2-argument variant of the ``if`` function that would allow for
e.g. conditional definition of resource properties and help
clean up templates. If only two arguments are passed to the ``if``
function, the entire enclosing item is removed when the condition
is false.
Change-Id: I25f981b60c6a66b39919adc38c02a051b6c51269
This changes all these parameters as heat would correctly
parse all values. Also, drops all yaql shenanigans
used for their handling and heat conditions.
Also fixes wrong usage of non-existent NeutronWrapperDebug
parameter in ovn-metadata-container-puppet.yaml.
We had converted all ``Debug`` parameters to boolean with
Ib6c3969d4dd75d5fb2cc274266c060acff8d5571.
Change-Id: Ia2bffffde34aa248a4cc60c3895464f1f9d1ded2
In 1ceb521805 we added these and they
can be simplified as they are boolean parameters, to get
rid of the redundant heat intrinsic functions.
Change-Id: I3851187c83965db5ecafcc945bff1fe3a5aa9ff4
This is using the linux-system-roles.certificate ansible role,
which replaces puppet-certmonger for submitting certificate
requests to certmonger. Each service is configured through
its heat template.
Partial-Implements: blueprint ansible-certmonger
Depends-On: https://review.rdoproject.org/r/31713
Change-Id: Ib868465c20d97c62cbcb214bfc62d949bd6efc62
This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.
Reduces a number of heat resources.
Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
Change Ib4f918c01e2fc71eedf7e6c90ca1dc5ccf8ff688 removed the cinder v2
API keystone service and endpoints. However some applications fail to
detect the supported cinder API versions and still default to v2.
See for example how Gophercloud [1] selects which API version to use.
This changes the default cinder API to v3 in the generated cloud config.
[1] https://github.com/gophercloud/utils/blob/6f54843/openstack/clientconfig/requests.go#L902-L918
Change-Id: I3fb719c2b8c92d2aebb76698674ada6b69ad2c8f
Convert the NotificationDriver to a comma_delimited_list.
This will still not break existing templates because passing
a string is still completely valid. This is done so that the hiera keys
will be passed down as lists.
The oslo::messaging::notifications::driver expects a list anyway so this
won't break things and will allow us to actually specify multiple
notification drivers correctly. The change that allowed
oslo::notifications to use both strings and lists is
If65946412b42e0919456ed92fdd8e3788ad67872 (Messaging notifications
should be set as a list)
Related-Bug: #1851629
Change-Id: I24c860cd3121e5c307233864818ca86967ff6d72
The AdminEmail parameter has had no effect since we introduced the keystone
bootstrap command to create a set of bootstrap resources, because the
bootstrap command doesn't support user email.
This change removes that useless command.
Change-Id: I14557a69301ba5c18205702d929b4ffe6b7c8040
Currently we disable Telemetry services like Ceilometer by default,
which means that we don't have any consumers for notification messages.
So NotificationDriver should be set as noop by default so that we don't
have unconsumed messages in notification queues.
Change-Id: I1d05749c94bd58ad4badafa7d9755009cb4b64af
Closes-Bug: #1869355
When the public_endpoint parameter is set, keystone composes request urls
from that parameter. However this can cause incorrect url detection
especially for requests coming from the admin endpoint, because we use
different urls for each endpoint (admin/internal/public) in a TripleO
deployment.
This patch unsets that public_endpoint parameter and makes keystone
detect request urls by headers passed from haproxy.
Closes-bug: #1889017
Depends-on: https://review.opendev.org/#/c/742349/
Change-Id: Ib5f017e95f961c04da3201d75ed17424e168b270
Now that the FFU process relies on the upgrade_tasks and deployment
tasks there is no need to keep the old fast_forward_upgrade_tasks.
This patch removes all the fast_forward_upgrade_tasks sections from
the services, as well as from the common structures.
Change-Id: I39b8a846145fdc2fb3d0f6853df541c773ee455e
Currently TripleO doesn't use keystone::bootstrap class, but it
implements command execution as a docker_config task.
This patch removes all useless puppet parameters for the class.
Change-Id: I7d38c15b9e62e4d82d2e4ce6e17fb6d348a41d01
We've been using the InternalTLSCAFile parameter when enabling
public TLS for the undercloud and it is quite confusing. We recently
changed to use it in clouds.yaml and it would break when
both public and internal TLS are enabled for the overcloud and both
use different CA certs. This adds a new parameter which we
will use in clouds.yaml, that would default to an empty string
assuming that the certificates are trusted.
Closes-Bug: #1883818
Change-Id: Id6f612a91255b3158be821c363ca852c6b5d7496
Depends-On: https://review.opendev.org/737998
For containers which run httpd, make sure conf.modules.d is also synced
into the container; so apache doesn't fail with:
AH00534: httpd: Configuration error: More than one MPM loaded.
This is now required since:
6425cc46a8
Change-Id: Ib315d10dbdbbad1628f536a74cd1fca371f018f5
Closes-Bug: #1884115
We need to add the cacert for both undercloud and overcloud
in clouds.yaml
Closes-Bug: #1878540
Depends-On: https://review.opendev.org/728358
Change-Id: I1f209bcae7707af2c8653ad21f69097f81ec6947
When checking if keystone/nova healthchecks are healthy, make sure the
registered fact is set (which can slip to a further retry if podman
inspect took too much time to execute).
That way, we process the retries without an error like found in the bug
report.
Change-Id: I9f5063c9c3b598afd5bd01447f00a1146a20f4c3
Closes-Bug: #1878063
This patch migrates the hieradata definition about cache usage in openidc
integration from puppet-tripleo to tripleo-heat-templates, so that we
can implement a new parameter to disable caching with memcache in tht.
Change-Id: Id791ea923ce15208fca69ccdc7faa5f0bdbfcf2a
They were disabled until the native podman healthcheck was integrated in
tripleo-ansible and it finally merged; so we can remove that safeguard
and it should be working.
Change-Id: I03361c33e54f0c8e71b420b144464ccb29a1ca4e
The systemd healthchecks are moving away, so we can use the native
podman healthchecks interface.
See I37508cd8243999389f9e17d5ea354529bb042279 for the whole context.
This patch does the following:
- Migrate the healthcheck checks to use podman inspect instead of
systemd service status.
- Force the tasks to not run, because we first need
https://review.opendev.org/#/c/720061 to merge
Once https://review.opendev.org/#/c/720061 is merged, we'll remove the
condition workaround and also migrate to unify the way containers are
checked; and use the role in tripleo-validations.
Depends-On: https://review.opendev.org/720283
Change-Id: I7172d81d305ac8939bee5e7f64960b0a9fea8627
Current puppet modules use only absolute names to include classes,
so replace relative names by absolute names in template files so that
the template description can be consistent with the puppet implementation.
Change-Id: I7a704d113289d61ed05f7a31d65caf2908a7994a
The following classes and parameters were deprecated in puppet-keystone
when keystone::bootstrap was added, and we don't need to set them
anymore because now we use new parameters.
- keystone::roles::admin
- keystone::endpoint
- keystone::admin_token
- keystone::admin_password
[1] I683fcdd743bddf6d4e989dd7e7c553db745934db
Change-Id: Id810756819505df1b21a86798bce1761515a001a
We recently patched puppet-keystone and puppet-openstacklib to set
KeystoneWorkers to a reasonable default given the consolidation of two
keystone processes into a single keystone process (keystone-main and
keystone-admin):
https://review.opendev.org/#/c/702031/13
https://review.opendev.org/#/c/705041/3
This patch updates THT to ensure we're using the new variable that's
dedicated to keystone's process count.
This ensures there isn't a performance regression due to reduced process
counts when upgrading to newer OpenStack versions because the keystone
applications were consolidated in puppet-keystone.
Change-Id: I47506181c38b9363b9c82c536e7c9d7d765f093f
- deploy-steps-tasks-step-1.yaml: Do not ignore errors when dealing
with check-mode directories. The file module is resilient enough to
not fail if the path is already absent.
- deploy-steps-tasks.yaml: Replace ignore_errors by another condition,
"not ansible_check_mode"; this task is not needed in check mode.
- generate-config-tasks.yaml: Replace ignore_errors by another
condition, "not ansible_check_mode"; this task is not needed in check mode.
- Neutron wrappers: use fail_key: False instead of ignore_errors: True
if a key can't be found in /etc/passwd.
- All services with service checks: Replace "ignore_errors: true" by
"failed_when: false". Since we don't care about whether or not the
task returns 0, let's just make the task never fail. It will only
improve UX when scrawling logs; no more failure will be shown for
these tasks.
- Same as above for cibadmin commands, cluster resources show
commands and keepalived container restart command; and all other shell
or command or yum module uses where we just don't care about their potential
failures.
- Aodh/Gnocchi: Add pipefail so the task isn't supposed to fail
- tripleo-packages-baremetal-puppet and undercloud-upgrade: check shell
rc instead of "succeeded", since the task will always succeed.
Change-Id: I0c44db40e1b9a935e7dde115bb0c9affa15c42bf
KeystoneOpenIdcEnableOAuth currently creates a hiera entry
"keystone::federation::openidc::openidc_oauth_enabled", however this doesn't
exist, it's "keystone::federation::openidc::openidc_enable_oauth"
Change-Id: I867e0bcbfc54d759be85cb572413ad46d139d668
... or Ansible will use the default "openstack" cloud, which isn't good.
We need to create domains in the actual overcloud.
Change-Id: I129d7355364c87c40f51372b402620790a31ec81
To avoid empty volumes like:
{
(...)
"volumes": [
"/etc/puppet:/etc/puppet:ro",
(...)
"",
""
],
}
Replace '' by [], so heat won't create an item in the list.
It helps to have idempotent containers, since podman_container module
will compare the list of volumes that is given in parameters (containing
the empty entries) vs the list of volumes actually in podman inspect.
Replacing to [] clears out empty volumes and makes these containers
idempotent when podman_container module is used to deploy containers.
Change-Id: I228b01009e7d9980bee5480778dbc88b9e226297
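Added illustration, not code from tripleo-heat-templates or from any of the commits above, tying together the two-argument ``if`` from the wallaby template version message and the empty-volume idempotency problem from the message above. The parameter name, condition name and mount paths are made up for the example.

```yaml
# Constructed example for illustration; EnableInternalTLS, the
# internal_tls_enabled condition and the mount paths are assumptions.
heat_template_version: wallaby

parameters:
  EnableInternalTLS:
    type: boolean
    default: false

conditions:
  internal_tls_enabled: {get_param: EnableInternalTLS}

outputs:
  # Three-argument form: when the condition is false the item is still
  # present and evaluates to '', which is how the empty "" volume entries
  # end up in the container definition and defeat podman_container's
  # comparison against podman inspect.
  volumes_three_arg:
    value:
      - /etc/puppet:/etc/puppet:ro
      - if:
          - internal_tls_enabled
          - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
          - ''
  # Two-argument form (wallaby and later): when the condition is false
  # the whole enclosing list item is removed, so the rendered list is just
  # [/etc/puppet:/etc/puppet:ro] and no empty entry reaches podman.
  volumes_two_arg:
    value:
      - /etc/puppet:/etc/puppet:ro
      - if:
          - internal_tls_enabled
          - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
```

With EnableInternalTLS left at its default, volumes_three_arg renders with a trailing empty string while volumes_two_arg renders as a single-item list; flip the parameter to true and both render identically.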
The next iteration of fast-forward-upgrade will be
from queens through to train, so we update the names
accordingly.
Change-Id: Ia6d73c33774218b70c1ed7fa9eaad882fde2eefe
Roles can no longer have a "-" in them according to the upstream ansible
documentation. This change updates the name of the role called as an
inflight validation from THT.
Depends-On: I19bb587ece403f86ddd0bbe174c282326500cfd3
Change-Id: I62014508358a83166f2c1d2838fde037f3645d20
Signed-off-by: Gael Chamoulaud (Strider) <gchamoul@redhat.com>
Certain config containers might need to be replaced and re-run
regardless of whether configuration changes on update and upgrade.
Adding the DeployIdentifier to the env will ensure that they are.
Change-Id: I150212ebac3fed471ffb4e7ed7b6eb6c7af3fad9
Closes-Bug: #1860571
Ansible has decided that roles with hyphens in them are no longer supported
by not including support for them in collections. This change renames all
the roles we use to the new role name.
Depends-On: Ie899714aca49781ccd240bb259901d76f177d2ae
Change-Id: I4d41b2678a0f340792dd5c601342541ade771c26
Signed-off-by: Kevin Carter <kecarter@redhat.com>
Replace the python script that was run on post-config by an Ansible
task running on the host where Keystone is running.
It'll be useful later when using OpenStackSDK to have access to the
credentials during the deployment and not having to wait for the far end.
It's also reducing the Heat resources.
Depends-On: https://review.opendev.org/#/c/700015
Change-Id: I585abc3e6a3b9b8ae9183e0b5170df2e39301e17
Service name for bootstrap should be named 'keystone' to match with what
Puppet creates, so we don't end up with multiple 'identity' services and
endpoints.
Change-Id: I9dc5bbd4de28e92e2b6161eb12cb92680f4363bd
https://review.opendev.org/#/c/692664 is adding a new provider to handle
the auth token information for keystone. We need to include it in our
container generation so the file is generated.
Change-Id: Ie21f25e237e1176a8e9dfd741e85033a5462c3b5
Keystone bootstrap can also be passed with additional endpoint
information. This will populate the initial catalog.
Change-Id: I3e9c1df82b4dfc94253688038215a66ded365a95
When podman parses such a volume map it removes the slash
automatically and shows volumes w/o the slash in inspection.
When comparing configurations it turns out to be a difference and
it breaks idempotency of containers, causing them to be recreated.
Change-Id: Ifdebecc8c7975b6f5cfefb14b0133be247b7abf0
This patch is fixing the following issues, which make the rsyslog service
fail to start successfully:
- Changes LoggingSource configuration key 'path' to 'file' for various services
- Fixes LoggingSource configuration key 'startmsg.regex' for pacemaker
- Removes nonexistent log files from LoggingSource of keystone
Change-Id: I7fe6456a1d2a3ba4300a82c57b76774152422250